Analysis

  • max time kernel
    133s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 22:22

General

  • Target

    113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898.vbs

  • Size

    14KB

  • MD5

    8eb68a7cde7da57b6bb46b479b371067

  • SHA1

    2e8c15856c3f76744c1d73d9ca90db19621263b4

  • SHA256

    113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898

  • SHA512

    01189fd288820c94c6aaaee42c50612c2da6761cf4f734a79cc5600bace0fd9cde82bb47bfa5d672bc3b737f3996778a532d6c4dde73dbfbd9bd4424148286aa

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request (4 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\egyiisgvtqc.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\35480122506617\poltturpwrpimwjix58893819689750.exe

    MD5

    689289ce154112fe8dbfc2674cf0c4c1

    SHA1

    d68495ccfbb01ff0e8e868e63a09aa3d83d4aa7d

    SHA256

    2a400cc629111018c9076639cab5e3268f0d5c22357380593b7c39d86e1e30c9

    SHA512

    3edfd9fa380a1b398e73c8dfac55eb2d5c64dc1cb74f599a1fadd2105d503bce8ff9f21804451725a12f286d6d649d9e458ac61edba10e4dbba62405d50225fd

  • C:\Users\Admin\AppData\Roaming\egyiisgvtqc.vbs

    MD5

    e6b93d809f2200a1f2ab4923069cf7cf

    SHA1

    866cabddfde63fe0e132abc5bb11b5521b46fa32

    SHA256

    0371814b236801c55ff69a7944f21d6139f05a8163d5e67f560f6932eb0024c7

    SHA512

    ec36d2a79fc015057770333ce8efe4470f9621914919680d60cf5644f19c7a1c832e09777c4dbbb8080d28627ae905073df6906a96099574dd2aff4c84f54d87